China recently released new drafts of its Data Security Law and its Personal Information Protection Law for public comment; once finalized, the two laws will impose significant obligations on how companies collect, process, and transfer data when operating in China or transacting with companies or individuals in China.
China's National People's Congress Standing Committee recently released a second draft of two laws that will significantly affect how every company operating in China, or transacting with companies or individuals in China, may collect, process, and transfer data. The two draft laws are the Data Security Law, which will govern the processing of "important data," and the Personal Information Protection Law ("PIPL"), which will govern the processing of personal information.
Notable revisions to the draft Data Security Law include the introduction of a hierarchical classification system for data and further restrictions on transfers of "important data" out of China, especially with respect to providing data to foreign law enforcement authorities or judicial bodies. Such restrictions could affect even data transfers between affiliated corporate entities. The new draft also increases penalties for breach of the Data Security Law, with fines on entities ranging from RMB 100,000 to RMB 1 million (US$15,500 to US$155,000) and fines on individuals ranging from RMB 10,000 to RMB 200,000 (US$1,550 to US$31,000).
Notable revisions to the draft PIPL suggest the drafters have taken into account previous comments from the international community, as some revisions have brought the PIPL closer to principles in the European Union's General Data Protection Regulation ("GDPR"). These include contemplating the use of standard clauses for safeguarding data transfers out of China based on a model contract from the Cybersecurity Administration of China, and clarifying that certain limited processing of personal information is permissible without consent. The grounds for such processing are more limited than under the GDPR, however. In particular, there is still no counterpart in the PIPL to the GDPR's widely and flexibly used "legitimate interest" lawful basis. Like the GDPR, the PIPL includes significant fixed penalties (up to RMB 50 million (US$7.75 million)) and turnover-based penalties (up to 5% of annual turnover from the prior financial year) for serious violations.
When coupled with the 2017 Cybersecurity Law, the new laws will form the three pillars of China's data governance and cybersecurity legal regime. As with the Cybersecurity Law, the new laws' breadth, vagueness, and complexity will give authorities substantial discretion in their enforcement efforts.
Both draft laws are open for public comments until May 28, 2021. Companies should anticipate that the National People's Congress will finalize both laws before the end of 2021 and should prepare accordingly, including by conducting a thorough analysis of both laws, and by familiarizing themselves with enforcement trends of other Chinese data regulations.